Frame 1: 69 bytes on wire (552 bits), 69 bytes captured (552 bits)
    Encapsulation type: USER 15 (60)
    Arrival Time: Oct  3, 2017 07:50:05.620600000 SA Pacific Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1507035005.620600000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 69 bytes (552 bits)
    Capture Length: 69 bytes (552 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: user_dlt:data]
DLT: 162
Data (69 bytes)
    Data: 000100046d7470330002003985ec2c0ac80c05011020010a...
    [Length: 69]

asked 06 Oct, 12:18

pagan_barr

edited 06 Oct, 18:57

JeffMorriss ♦

You need to know and configure what protocol should be decoded as user DLT 15, in the user DLT preferences.

(06 Oct, 12:36) Anders ♦

DLT USER 15

(06 Oct, 14:24) pagan_barr

Did you capture this on the Windows 10 machine?

If so, how did you capture it?

If not, on what machine was it captured, and with what software was it captured? There's no standard for encapsulating GSM packets, so Wireshark might, or might not, be able to be told to decode the traffic as GSM packets, depending on how the packets are encapsulated.

(10 Oct, 00:28) Guy Harris ♦♦

DLT 162 is USER_15, that is what the file says. That is one step, now Wireshark knows what it is, a user defined encapsulation. What it doesn't know is how to dissect that, because it doesn't know about this user-defined encapsulation, unless you tell it.

That is where the DLT_USER protocol preference comes in. If you look that up in the Wireshark preferences you'll see that you can edit the Encapsulation table. This table lets you define how to dissect user encapsulations.

It starts off with the DLT you use, then the protocol the data should be dissected as.

If your protocol data is wrapped inside a header and/or trailer these can be dissected as well, but these are a bit more exotic situations.


answered 07 Oct, 00:56

Jaap ♦

Thank you. It appears to happen on Windows 10.

(09 Oct, 08:43) pagan_barr

It's not really clear (at least to me) from your reaction whether you can see the dissected GSM protocol or not after following @Jaap's advice. If not, does your repeated mentioning of Windows 10 mean that you've tried on other OSes as well (other Windows than 10, Linux, Mac OS) and the same pcap file was dissected fine there?

(09 Oct, 10:27) sindy
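
The mapping Jaap's answer describes, as an added example that is not part of the original thread: it reads the link-layer type from a classic pcap global header, confirms it falls in the DLT_USER range (147 to 162), and builds the matching DLT_USER Encapsulations Table row in the quoted-CSV form Wireshark uses for its `user_dlts` table. Assumptions: a classic pcap file (not pcapng), no header or trailer around the payload, and `example_proto` as a hypothetical placeholder for whichever dissector the payload really needs.

```python
import struct

DLT_USER0, DLT_USER15 = 147, 162  # range reserved for user-defined encapsulations

# Classic pcap magic values as seen when the first 4 bytes are read little-endian
_MAGICS = {
    0xA1B2C3D4: "<", 0xD4C3B2A1: ">",  # microsecond timestamps
    0xA1B23C4D: "<", 0x4D3CB2A1: ">",  # nanosecond timestamps
}

def pcap_linktype(header: bytes) -> int:
    """Return the link-layer type from a 24-byte classic pcap global header."""
    if len(header) < 24:
        raise ValueError("truncated pcap global header")
    (magic,) = struct.unpack("<I", header[:4])
    order = _MAGICS.get(magic)
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    # Fields: magic, version major, version minor, thiszone, sigfigs, snaplen, network
    *_, network = struct.unpack(order + "IHHiIII", header[:24])
    return network & 0xFFFF  # the link type is in the low 16 bits of this field

def user_dlt_row(linktype: int, payload_proto: str) -> str:
    """Build the Encapsulations Table row for a DLT_USER link type."""
    if not DLT_USER0 <= linktype <= DLT_USER15:
        raise ValueError(f"DLT {linktype} is not a user-defined encapsulation")
    n = linktype - DLT_USER0
    # Columns: DLT, payload protocol, header size, header protocol,
    # trailer size, trailer protocol (sizes 0 and empty names: no header/trailer)
    return f'"User {n} (DLT={linktype})","{payload_proto}","0","","0",""'

# Constructed sample: little-endian pcap 2.4 header, snaplen 65535, link type 162
CONSTRUCTED_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 162)

if __name__ == "__main__":
    dlt = pcap_linktype(CONSTRUCTED_HEADER)
    row = user_dlt_row(dlt, "example_proto")  # placeholder dissector name
    print(row)
    # The same row can be passed to tshark as a preference override
    print('tshark -r capture.pcap -o \'uat:user_dlts:' + row + "'")
```

The printed row is what the Encapsulations Table edit in the preferences dialog ends up storing; only the second column needs to change once the real payload protocol is known.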